Does Your Organization Need Cyberinsurance?
In the past decade, alongside the increased importance of digital tools for business, a new category of insurance has sprung up to cover data breaches and the liability that follows them. With the average total cost of a data breach reaching $4 million and the average cost of each lost or stolen record rising to $158, it is clear that a data breach is an expensive affair.
While a dedicated security response team and encryption do reduce these costs, and IDS/IPS and other security controls reduce the likelihood of a breach, many organizations will still experience one at some point.
Cyberinsurance can help absorb the cost of a data breach by reimbursing your company for legal fees, crisis management and investigation costs, notification costs, extortion payments and related expenses, and third-party damages arising from network or system outages. But does every organization need cyberinsurance?
Cyberinsurance Basics: Going Beyond General Liability
Your business likely already has general liability insurance to cover injury, property damage, and some other risks arising from your everyday services, operations, and products. However, general liability policies often specifically exclude damages with a cybersecurity-related cause. Cyberinsurance comes in a number of flavors, with premiums ranging from roughly $1,000 to $50,000 depending on your coverage and risk level, much of which is tied to the size of your company and the nature of your business.
Cyberinsurance is an evolved form of Errors and Omissions (E&O) insurance, which you may already have. Dating back decades, E&O covers claims arising from errors in the services you provide, such as a disruption of your digital services, and it is also common in office-oriented professions like law, medicine, and engineering. Over time, some E&O policies came to include coverage for network outages, unauthorized system access, and malware.
Depending on the type of cyberinsurance you choose, it will cover:
- investigation of the data breach, including hiring a third-party digital forensics firm, remediating the vulnerability or weakness that was exploited, and coordinating with law enforcement agencies as required
- first-party financial losses, such as lost revenue while your service is inaccessible to customers, the cost of network downtime, recovery of lost data, and restoration of hardware and software systems to working order
- third-party claims, such as damages sought by a business that uses your services and was affected by the breach, as well as regulatory fines and penalties (to the extent the law allows them to be insured)
- notification and public relations costs, including hiring professionals to limit damage to your organization's reputation and to communicate the extent of the breach to affected customers and the public
- extortion-related costs, as in the case of ransomware
Is Cyberinsurance a Good Idea For Your Organization?
Any business that performs a significant portion of its operations digitally should take a hard look at cyberinsurance. If you store or handle personally identifiable information (PII) or protected health information (PHI) on a computer system, even if that system is operated by a third-party service provider, cyberinsurance might be wise. This includes customer names, addresses, payment card data, and so forth.
Talk to your broker about what your current general liability and/or E&O coverage might cover in the case of a digital incident. Consider how much information you might be processing or storing regularly. If you are a smaller organization, the additional cost may not be worth it compared to the risks — but consider that 43% or more of cyber attacks target small businesses.
How to Start Shopping for Cyberinsurance
Take a hard look at your existing cybersecurity measures before approaching a broker. What can you implement to reduce your risk and, in turn, your deductible and premium? Is your software and hardware hardened and kept up to date? Do you monitor your systems? Have you deployed IDS/IPS? Are your employees trained in security best practices, including recognizing phishing and social engineering? Have you had a risk assessment or penetration test performed?
Talk to multiple insurance providers. Some of them may want to audit your IT systems themselves. If one doesn't offer the coverage you think you need, move on. Compare deductibles and premiums, naturally, but also watch for sublimits and other restrictions on coverage. These could include a maximum sublimit on payouts for regulatory fines and penalties, or a waiting period under which your network must be down for a minimum of 12 hours before business-interruption coverage kicks in.
Ask how making a claim, or not making one in a given year, will affect your premium. Ask what guidance the insurer offers on making sound security choices for your company. Some providers impose specific requirements, such as encryption of sensitive data, or exclude insider incidents caused by your own employees. A detailed policy takes more work to negotiate, but spelling out exactly what is and is not covered helps you avoid discovering an expensive gap when you file a claim.
Cyberinsurance is an evolving field, but it is becoming more essential to businesses of all sizes, especially as Software as a Service and other cloud-based services become commonplace. In the light of major breaches occurring every year, it may be wise to re-examine your business insurance to see if cyberinsurance coverage makes sense for you.